W3C

- DRAFT -

Web Application Security Working Group Teleconference

12 Mar 2014

Agenda

See also: IRC log

Attendees

Present
mkwst, gmaone, neilm, BHill, freddyb, grobinson, +1.720.897.aabb, ekr, glenn, terri, jww, +1.831.246.aacc, dveditz, +1.781.262.aadd
Regrets
Chair
bhill2, ekr
Scribe
bhill2

Contents


<trackbot> Date: 12 March 2014

<freddyb> oh right. timezones....

<wseltzer> Agenda

<scribe> Meeting: WebAppSec Teleconference 12-Mar-2014

<freddyb> Zakim: ??P15 is freddyb

<jww> jww is the 510 #

<freddyb> thanks gmaone :)

<grobinson> Are these "scribe instructions" up to date? http://www.w3.org/2008/04/scribe.html

yes, pretty much

I usually handle the start/end bits

we just need transcription during the call

<scribe> agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0024.html

Minutes Approval

http://www.w3.org/2011/webappsec/draft-minutes/2014-02-26-webappsec-minutes.html

<jww> zaim, +1.510.761.aaaa is jww

RESOLUTION: Minutes approved

Agenda Bashing

[integrity] What should we hash?

http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0023.html

<grobinson> freddyb: hoping this is well-defined elsewhere; mark nottingham or boris zbarsky might have a solution

<grobinson> abarth: need a good way to specify the body of the entity (wording)

<mkwst> grobinson: that's me, not mkwst. :)

<grobinson> sorry!

<mkwst> no worries!

<grobinson> mkwst: let's let this play out on the list

Call for Consensus: Subresource Integrity to FPWD.

http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0021.html

<grobinson> mkwst: objections to FPWD?

<scribe> ACTION: bhill2 to open SRI issues in tracker from spec text [recorded in http://www.w3.org/2014/03/12-webappsec-minutes.html#action01]

<trackbot> Created ACTION-165 - Open sri issues in tracker from spec text [on Brad Hill - due 2014-03-19].

<grobinson> dveditz: general concern, this could be used for tracking

<grobinson> dveditz: may want to note it so it's there when someone else brings it up

<grobinson> mkwst: we should add "privacy considerations"

<scribe> ACTION: mkwst to add an explicit "Privacy Considerations" section to SRI [recorded in http://www.w3.org/2014/03/12-webappsec-minutes.html#action02]

<trackbot> Error finding 'mkwst'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.

<mkwst> mwest2, i think

ACTION mwest2 to add an explicit "Privacy Considerations" section to SRI

<trackbot> Created ACTION-166 - to add an explicit "privacy considerations" section to sri [on Mike West - due 2014-03-19].

<grobinson> bhill2: motion to approve?

dveditz moves to approve, ekr seconds

<grobinson> no objections; resolve to publish FPWD

RESOLUTION: WG to publish Subresource Integrity as FPWD

Meta tag verification

http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0008.html

<grobinson> Thread digressed into question: can adding CSP policies weaken, or only strengthen?

<grobinson> jww: clarify proposed meta-hash directive is optional

<grobinson> bhill2: heuristic is to see if 2 people speak up in support of a proposal

<grobinson> dveditz: not totally in favor, but interested. currently wants policy where meta policy is ignored if there is a header policy

<grobinson> dveditz: proposes similar idea using a nonce from the header

<grobinson> dveditz: prefer to see this discussed in 1.2

<grobinson> jww: concurs

Removal of the note about extensions

<grobinson> bhill2: asks mkwst if the spec is updated to match agreement from last call

<grobinson> mkwst: it is

<glenn> concur

Remove paths from CSP?

<mkwst> Language in the spec is "Note that user agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms.", FYI.

<grobinson> no objections to current language re: extensions

<grobinson> bhill2: we can keep discussing this in last call if necessary

http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0006.html

<freddyb> (I have to leave early today)

<grobinson> mkwst: sums up current state. says he is behind on drafting language for the spec

Summary of Action Items

[NEW] ACTION: bhill2 to open SRI issues in tracker from spec text [recorded in http://www.w3.org/2014/03/12-webappsec-minutes.html#action01]
[NEW] ACTION: mkwst to add an explicit "Privacy Considerations" section to SRI [recorded in http://www.w3.org/2014/03/12-webappsec-minutes.html#action02]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-03-12 15:31:19 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/abarth/mkwst/
No ScribeNick specified.  Guessing ScribeNick: bhill2
Inferring Scribes: bhill2
Default Present: mkwst, gmaone, neilm, BHill, freddyb, grobinson, +1.720.897.aabb, ekr, glenn, terri, jww, +1.831.246.aacc, dveditz, +1.781.262.aadd
Present: mkwst gmaone neilm BHill freddyb grobinson +1.720.897.aabb ekr glenn terri jww +1.831.246.aacc dveditz +1.781.262.aadd
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0024.html
Found Date: 12 Mar 2014
Guessing minutes URL: http://www.w3.org/2014/03/12-webappsec-minutes.html
People with action items: bhill2 mkwst

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.


[End of scribe.perl diagnostic output]